New Apache

Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in Apache 2.x, GNU Radius, libXpm,
CUPS, gdk-pixbuf, cdrtools, SUS, and Webmin.

Apache 2.0.51

Version 2.0.51 of the Apache web server has been released. This new version of
Apache fixes the following security-related bugs: a minor denial-of-service vulnerability
in the code that handles IPv6 URI parsing can result in a single child instance
of the web server crashing; a buffer overflow in the code that parses configuration
files that may be exploitable by a local attacker using a .htaccess file to trigger
the overflow and execute code with the permissions of the web server; a denial-of-service vulnerability when proxying to a remote SSL server, where the remote
SSL server can, under some conditions, crash a child instance of the web server;
and a bug in WebDAV authoring that can be exploited using LOCK requests to crash
a child instance of the web server. In all of the listed denial-of-service attacks,
other instances of Apache will continue to handle web page requests. It is recommended
that all users of the version 2.x series of the Apache web server upgrade to version
2.0.51.

GNU Radius

The GNU version of the remote user authentication and accounting daemon Radius
is vulnerable to a buffer overflow that is reported to be exploitable in a denial-of-service attack that crashes the Radius daemon and denies service to users attempting
to authenticate. The buffer overflow is in code located in the asn_decode_string()
function and is reported to only be vulnerable when Radius is compiled with the
--enable-snmp option. Versions 1.1 and 1.2 of GNU Radius are reported to
be vulnerable. Users affected by this vulnerability should upgrade to version 1.2.94
of GNU Radius or recompile Radius without the --enable-snmp option.

libXpm

The libXpm library contains multiple buffer overflows that may, under some conditions,
lead to arbitrary code being executed with the permissions of a victim who uses
an application linked against the libXpm library to view a carefully crafted XPM
file. Users should watch their vendors for updated packages that repair the buffer
overflows and replace any affected applications.

CUPS

CUPS, the Common Unix Printing System, is vulnerable to a denial-of-service attack
that, when executed by a remote attacker, will disable browsing and prevent the
CUPS server from seeing remote printer changes. This attack is conducted by sending
an empty UDP packet to port 631 on the victim's machine. In addition, a bug in
the foomatic-rip filter (which allows the use of a printer and driver database) can,
under some conditions, be exploitable by a remote attacker to execute arbitrary
code. The denial-of-service vulnerability has been repaired in CUPS version 1.1.21rc2
and in the CUPS CVS repository. Users of the foomatic-rip filter package should watch
their vendors for updated packages or upgrade to foomatic 3.0.2.

gdk-pixbuf

gdk-pixbuf is reported to contain several buffer overflow bugs that may be exploitable
under some conditions to execute arbitrary code with the permissions of the user,
or used as part of a denial-of-service-type attack. These buffer overflows are
in the code that loads BMP, ICO, and XPM files. Users should watch their vendors
for a repaired version of gdk-pixbuf.

cdrtools

Some versions of the cdrecord utility supplied with the cdrtools are vulnerable
to an attack if the package is installed set-user-ID root. cdrecord does not drop
any root permissions before executing the command pointed to by the $RSH environment
variable. A script to automate the exploitation of this problem has been released
to the public. Some vendors have patched cdrecord to prevent this problem. Affected
users should upgrade cdrtools to a repaired version and remove the set-user-ID
bit from cdrecord or restrict who can execute it using a group.
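As an added example in C (not cdrecord's own code), the pattern behind this advisory: a set-user-ID-root helper that runs the program named by $RSH first drops to the invoking user's real IDs and verifies the drop, so whatever $RSH points at cannot run with root permissions. The function names and the RSH=/bin/true demonstration are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Drop root permanently to the invoking user's real uid/gid and verify it.
 * In a set-user-ID-root program, setuid(ruid) resets real, effective and
 * saved uid together, so nothing exec'd afterwards can regain root.
 * Returns 0 on success, -1 if a step fails or root is still obtainable. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    /* Group first: once the uid is dropped, setgid would no longer work. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    /* Verify instead of trusting the calls blindly. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1; /* root must be unrecoverable */
    return 0;
}

/* Run the program named by env_var (cdrecord's $RSH) with one argument, in a
 * child that has first dropped privileges; the advisory's bug is the same exec
 * without the drop_privileges() call. Returns the child's exit status, or -1
 * when env_var is unset or fork/wait fails; 126 = drop failed, 127 = exec failed. */
int run_env_command_unprivileged(const char *env_var, const char *arg)
{
    const char *cmd = getenv(env_var);
    int status;
    pid_t pid;

    if (cmd == NULL || cmd[0] == '\0') return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(126);
        execlp(cmd, cmd, arg, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demonstration: RSH points at /bin/true, run unprivileged. */
    setenv("RSH", "/bin/true", 1);
    printf("child exit status: %d\n", run_env_command_unprivileged("RSH", "host"));
    return 0;
}
```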

SUS

SUS, a utility that allows specified users to execute certain commands with root
permissions, is reported to be vulnerable to a format-string-related bug that
may, under some conditions, be exploitable by a local attacker to execute any and
all commands with root permissions. SUS is also vulnerable to a separate format-string
bug that may be exploitable by a local attacker to execute arbitrary code with
root permissions. Users of tools such as SUS or Sudo should keep in mind that this
kind of vulnerability is to be expected in utilities that allow users to perform
a limited number of commands with root permissions, and if they still must use
the tool, they should watch carefully for vulnerabilities in it. The format-string
bug is reported to be repaired in SUS version 2.0.6. For the present time, users
of SUS should install the latest available release.

Webmin

Webmin is a web-based toolkit for Unix systems that can administer user accounts,
control Apache, DNS, file sharing, and more. It is reported that, under some
conditions, Webmin may be vulnerable to a symbolic-link race condition due to an
insecure temporary directory. This can result in arbitrary files being written
with the permissions of the web server. There is also a vulnerability in the
web mail functionality of Webmin that may be exploitable by a remote attacker
to execute arbitrary shell commands as the user running the web server. Affected
users should upgrade to version 1.090 or newer of Webmin and should consider disabling
Webmin until it can be upgraded.